At the bottom level, Application Privileges, 2 privileges are created: One privilege allows execution of the Accounts Payable application; the other privilege allows execution of the Accounts Receivable application.

At the next level up, Application Roles are created: An Accounts Payable application role and an Accounts Receivable application role. The corresponding application privileges are assigned to each application role.

On the next level up are three User Roles: Pay Clerk, Manager, and Receiving Clerk. The Pay Clerk user role is granted the Accounts Payable application role, so she can execute the Accounts Payable application. The Receiving Clerk user role is granted the Accounts Receivable application role, so he can execute the Accounts Receivable application. The Manager user role is granted both application roles.

The final top level contains the individual users, who are granted appropriate User Roles.